Page 74 - Cyber Warnings August 2017
P. 74

But verifying trust consistently is difficult if encryption is not implemented consistently across
               environments from boot—a practice that allows enterprises to avoid mistakes and malicious
               activity.

               2. Maintain Absolute Key Control

               For full control over assets, enterprises need absolute control over keys. This control allows enterprises
               to ensure that sensitive assets are encrypted and remain so, and to determine how data is used and by
               what entities.

               Unfortunately, even if provider-offered encryption is described as “customer controlled,” keys
               may or may not be permitted to reside on the enterprise’s premises. Storing keys on-premises in
               a hardware security module (HSM) or in a secure, customer-owned environment is the only way
               to confirm that third-party access has been prevented and that keys can be changed if issues
               arise. Any enterprise subject to compliance concerns should be particularly aware of this
               practice, as key control plays a big role in many major regulations, including PCI DSS and
               HIPAA.

               3. Ensure Tight Key Access and Authentication

               Tight management of key access and authentication of access is critical to eliminating misuse of
               keys. The single-key nature of CSP-offered encryption such as AWS’s Key Management
               System means that any user with access to the Customer Master Key can decrypt resources.

               Access to keys should be authenticated and logged for maximum visibility. Without control over
               key access, it is difficult for IT to ensure that it can be agilely responsive to any possible
               breaches or back doors. To further eliminate these risks, encryption should be managed with a
               consistent key management framework across environments.

               4. Enforce Regular Key Rotation

               Key rotation (both temporally and spatially) is essential for effective encryption. The amount of
               time any given key is used should be limited, so limited exposure occurs in the event of
               compromise. Likewise, the amount of data that is protected by any given key should also be
               limited, so that any key permits access to only a small amount of sensitive data.

               Automating rotation of keys and the amount of data that the enterprise encrypts with any given
               key cuts down on operational overhead. Further, having a single encryption scheme across
               environments helps ensure consistent and regular key rotation, simplifying the process
               exponentially.

               5. Evaluate Solutions for Agility

               Enterprises need to ensure that crypto agility is at the heart of whatever encryption solution they
               adopt. If a back door is discovered, a popular encryption algorithm is compromised, or a major
               breach occurs, IT security teams must be able to nimbly respond and protect the security of
               enterprise assets. The ability to revoke keys and set up new crypto in place of the original
               algorithm is essential, but many solutions on the market don’t make that process simple.
               Without crypto agility as a guiding principle for the encryption solution in place, IT cannot
               guarantee an agile response.

                    74   Cyber Warnings E-Magazine – August 2017 Edition
                         Copyright © Cyber Defense Magazine,  All rights reserved worldwide.
   69   70   71   72   73   74   75   76   77   78   79